An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

On February 4, 2014, in Robins v. Spokeo, Inc., the Ninth Circuit reversed a district court and held that a plaintiff had standing to pursue a claim for damages under the Fair Credit Reporting Act (FCRA).

Spokeo is a data broker that operates a “people search” website that allows users to obtain information about other individuals, including contact information, marital status, age, occupation, economic health, and wealth level. The complaint asserted that Spokeo violated a number of provisions of the FCRA, such as the requirement that the company, as an alleged “consumer reporting agency,” did not follow reasonable procedures to assure the requisite accuracy of information about consumers or provide notices to providers and users of information. With respect to harm, the named plaintiff, bringing the action on behalf of a putative class, asserted that Spokeo had provided inaccurate information about him – namely, that he had a graduate degree and was wealthy – which diminished his employment prospects and led to anxiety and stress about his damaged ability to obtain work.

The Ninth Circuit easily dispensed with the challenge to standing as a statutory matter. The court reasoned that because the FCRA provides a private right of action that does not require proof of actual damages, so, too, the statute does not require a plaintiff to plead actual damages to have standing.

As for Article III injury-in-fact, the Ninth Circuit required no more in the way of pleading actual damages. The court explained that, first, a plaintiff must allege that his statutory rights have been violated. Second, the statutory rights at issue must protect against “individual, rather than collective, harm.” The plaintiff alleged that he personally was injured by Spokeo’s provison of inaccurate information about him. And his “personal interests in the handling of his . . . information are individualized rather than collective,” and therefore constitute “concrete de facto injuries.” As for causation and redressability, once again, the statutory cause of action controlled: the alleged violation of a statutory provision “caused” the violation of a right conferred by that provision. Likewise, the court reasoned that statutory damages are presumed to redress the alleged injury.

On November 15, 2013, the U.S. Government Accountability Office released a report on the statutory legal protections for consumers with regard to the use of data for marketing purposes by data brokers.

The GAO report canvasses the existing federal consumer legal protections applicable to information resellers and finds them wanting with regard to the use of the data for marketing purposes. Specifically, the GAO concluded the following:

– “[I]nformation about an individual’s physical and mental health, income and assets, mobile telephone numbers, shopping habits, personal interests, political affiliations, and sexual habits and orientation,” can legally be collected, shared, and used for marketing purposes. The report notes limits on HIPAA’s applicability to health-related marketing lists used by e-health websites.

– Although some industry participants have stated that current privacy laws are adequate – particularly in light of self-regulatory measures – there are gaps in the current statutory privacy framework that do not fully address “changes in technology and marketplace practices that fundamentally have altered the nature and extent to which personal information is being shared with third parties.”

– Current law is often out of step with the fair information practice principles.

According to the GAO, Congress should therefore consider strengthening the current consumer privacy framework in relation to consumer data used for marketing while not unduly inhibiting the benefits to industry and consumers from data sharing. In doing so, Congress should consider:

– the adequacy of consumers’ ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA;

– whether there should be additional controls on the types of personal or sensitive information that may be collected and shared;

– changes needed, if any, in the permitted sources and methods for data collection; and

– privacy controls related to new technologies, such as web tracking and mobile devices.

GAO Report at 19, 46-47.

The GAO Report is the most recent expression of support for comprehensive privacy legislation from within the federal government. In this regard, the report echoes the Obama Administration’s 2012 Privacy Blueprint and the FTC’s 2012 Privacy Report, both of which called for baseline privacy legislation. The FTC Privacy Report also reiterated the agency’s support for a privacy law targeted to data brokers. The GAO Report, by contrast, implies that a general privacy law could suffice to address the issues raised by data brokers.

It was less than a year ago that the Federal Trade Commission announced amendments to the regulations implementing the Children’s Online Privacy Protection Act (COPPA), which went into effect on July 1, 2013. But COPPA has never covered teenagers, and a bipartisan group of senators and congressman seeks to change that. On November 14, 2013, Senator Edward Markey (D-MA) and Representative Joseph Barton (R-TX), with Senator Mark Kirk (R-IL) and Representative Bobby Rush (D-IL), introduced the Do Not Track Kids Act of 2013 (S. 1700, H.R.3481), which would amend COPPA and introduce additional provisions to govern the collection and use of teens’ personal information.

Broadly-stated, the bipartisan-sponsored legislation would:

Prohibit online properties from collecting personal and geo-location information from anyone 13 to 15 years old without the user’s consent;

Require consent of a parent or teen before sending targeted advertising to children and teens;

Require adherence to a “Digital Marketing Bill of Rights” for teens that encompasses the fair information practice principles of collection and retention limitations, purpose specification, data accuracy, access, and security;

Create an “eraser button” (or a “right to be forgotten” – the more elegant name by which it is known in Europe) by requiring covered online companies to permit users to remove publicly available personal information and content they have posted, when technologically feasible; and

Require the FTC to issue implementing regulations enforceable by both the FTC and state attorneys general. The new COPPA prohibitions would be enforceable by the FTC against telecommunications carriers, thereby effectuating a limited repeal of the “common carrier exemption” to the FTC’s jurisdiction.

It was a 2011 iteration of the Markey-Barton Do Not Track Kids Act, which did not advance in the last Congress, that introduced the concept of an “eraser button” for teens. California has since seized on the idea and run with it. As previously discussed in the Secure Times blog, California recently enacted an “eraser button” for California minors, which goes into effect on January 1, 2015. This is but one illustration of California’s recent willingness to take more aggressive action on privacy issues than Congress, while utilizing ideas trumpeted in Congress or elsewhere at the national level.

The Federal Trade Commission announced today that Certegy Check Services, Inc. has agreed to pay a $3.5 million fine to settle charges that it violated the Fair Credit Reporting Act (FCRA), 15 USC 1681 et seq. This is the FTC’s second highest fine in an FCRA matter, falling behind ChoicePoint, Inc., which paid a $10 million fine in an FCRA case filed by the FTC in 2006.

The FTC alleged that Certegy, which provides check authorization services to thousands of merchants, is a consumer reporting agency or CRA under Section 603(f) of the FCRA. As such, Certify is alleged to have violated a number of obligations under the FCRA, such as failing to:

Use reasonable procedures to assure maximum possible accuracy of consumer report information in violation of Section 607(b) of the FCRA;

Comply with Section 611 of the FCRA by seeking to “shift the burden of conducting a reinvestigation to consumers rather than fulfilling its legal obligation to reinvestigate disputed information”;

Create a streamlined process for consumers to obtain free annual reports, as required by Section 612(a)(l)(C)(i) of the FCRA and its implementing regulation, 12 CFR 1022, subpart N; and

Establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information it furnishes to other CRAs, as required by the Furnisher Rule, 12 CFR 1022, subpart E.

The roster of apps designed to protect privacy grew this week with the launch of Disconnect Kids, which bills itself as “[t]he first and only app that stops data about your browsing and app activity from ever leaving your iPhone or iPad.” The company claims its new app protects children from unwanted tracking by actively blocking requests for their personal data, filtering the biggest mobile trackers, allowing users to block and unblock the 20 most prevalent companies that track browsing and app activity, and teaching about online tracking and targeting. The app is offered on a “pay what you want basis.” Disconnect, based in Palo Alto, and jointly founded in 2011 by a former Google/ Doubleclick engineer and a consumer- and privacy-rights advocate, says its software, including Disconnect 2, a web-based desktop app, is used by more than one million people each week.

Disconnect’s motto is “Unwanted tracking is not cool.” It says it aims to bolster the protections afforded by the Children’s Online Privacy Protection Act or COPPA, enforced by the Federal Trade Commission through a revised rule that went into effect on July 1, 2013. The company notes that general audience third parties, e.g., plug-ins not geared specifically toward children, can collect personal data from another site without obtaining parental consent if the plug-in lacks actual knowledge it is doing so from a site directed to children under 13 years old.